State Actors Hacked US Govt Network, FBI Reveals

The Federal Bureau of Investigation (FBI) announced in a security alert that nation-state hackers breached the networks of two US municipalities last year via a critical vulnerability affecting Pulse Secure VPN servers.

In the published notification, the Bureau identified a US municipal government and a US financial entity as the victims of the incident. According to the Bureau, the hackers used the CVE-2019-0604 vulnerability in Microsoft SharePoint servers to breach the two municipalities' networks. This enabled the attackers to perform malicious activities, including “exfiltration of user information, escalation of administrative privileges, and the dropping of web shells for remote/backdoor persistent access.”

According to the post, the US financial entity was first hit by the attack in August 2019. This was later followed by another breach involving a US municipal government network impacted by the same type of vulnerability.

US Govt Network Hacked

Upon investigation, the FBI stated that “unidentified nation-state actors are involved in both compromises; however, it remains unclear if these are isolated incidents,” based on the complexity of the Tactics, Techniques, and Procedures (TTPs) used in the two attacks.

“The SharePoint server was used as a pivot point on the network, allowing unauthorized access via compromised local administrator credentials. At least five machines on the municipality's network contained evidence of similarly named executables staged in the C:\ProgramData\ directory. Over 50 hosts on the network showed evidence of Mimikatz execution. There is also evidence that the actors used the kerberoasting technique to target Kerberos service tickets. The actors were able to successfully gain access to several domain administrator accounts,” the post explains.

“The intrusion appears to have been detected while the actors were still in the reconnaissance phase of the intrusion, so their actual objectives on target could not be determined,” it added.
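The kerberoasting activity the FBI describes leaves a recognisable trace in domain controller logs: a single account requesting RC4-encrypted (encryption type 0x17) service tickets for many distinct service accounts in a short time, which is what the technique does to obtain offline-crackable ticket material. The detection heuristic below is an added example, not code from the FBI alert or from any vendor; it runs over a constructed, reduced set of Windows Security Event ID 4769 records, and the field names, thresholds and window size are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 (Kerberos service ticket requested) records,
# reduced to the fields the heuristic needs. "service" is the Service Name field,
# i.e. the account the SPN is registered to. Not real log data.
SAMPLE_4769 = [
    {"time": "2019-08-14T02:10:05", "account": "jdoe@CORP.LOCAL", "service": "sqlsvc", "etype": "0x17"},
    {"time": "2019-08-14T02:10:06", "account": "jdoe@CORP.LOCAL", "service": "websvc", "etype": "0x17"},
    {"time": "2019-08-14T02:10:06", "account": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x17"},
    {"time": "2019-08-14T02:10:07", "account": "jdoe@CORP.LOCAL", "service": "backupsvc", "etype": "0x17"},
    {"time": "2019-08-14T02:10:07", "account": "jdoe@CORP.LOCAL", "service": "sqlsvc", "etype": "0x17"},
    {"time": "2019-08-14T02:10:08", "account": "jdoe@CORP.LOCAL", "service": "exchsvc", "etype": "0x17"},
    {"time": "2019-08-14T02:10:09", "account": "jdoe@CORP.LOCAL", "service": "reportsvc", "etype": "0x17"},
    {"time": "2019-08-14T02:15:00", "account": "asmith@CORP.LOCAL", "service": "sqlsvc", "etype": "0x12"},
    {"time": "2019-08-14T02:15:30", "account": "asmith@CORP.LOCAL", "service": "WS01$", "etype": "0x12"},
    {"time": "2019-08-14T09:00:00", "account": "bwhite@CORP.LOCAL", "service": "sqlsvc", "etype": "0x17"},
    {"time": "2019-08-14T09:30:00", "account": "bwhite@CORP.LOCAL", "service": "websvc", "etype": "0x17"},
]


def detect_kerberoasting(events, min_services=5, window=timedelta(minutes=10)):
    """Return {account: [service names]} for accounts that requested RC4 (0x17)
    service tickets for at least `min_services` distinct user-owned service
    accounts within `window`. Machine accounts (ending in '$') and krbtgt are
    ignored: their keys are long and random, so they are not useful targets."""
    by_account = defaultdict(list)
    for ev in events:
        svc = ev["service"]
        if ev["etype"].lower() != "0x17":
            continue  # AES tickets are not the pattern we are looking for
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), svc))

    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()  # chronological order so the sliding window below is valid
        for i, (t0, _) in enumerate(reqs):
            seen = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(seen) >= min_services:
                flagged[account] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible kerberoasting by {account}: {', '.join(services)}")
```

A single RC4 ticket request, as from a legacy application that still uses RC4, is not flagged on its own; the signal is the burst of requests across many service accounts from one principal.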

The Bureau, however, clarified that while the intruders were found to have attempted to access several Outlook webmail accounts, the current investigation shows that they were unsuccessful “due to the accounts being on separate domains requiring different credentials not obtained by the intruder.”

Moreover, “there was no evidence that any data was compromised or exfiltrated, and the intruder(s) seemingly did not install any persistence capability or foothold in the network,” the FBI added.

The announcement of these incidents extends the list of US municipalities attacked via the CVE-2019-0604 SharePoint vulnerability.

As a word of advice, the FBI recommends that municipalities review the National Security Agency (NSA) cybersecurity advisory on mitigating VPN vulnerabilities and take the necessary measures to protect themselves against such attacks.
